SLES 11 AUTH | as a LDAP client

Hi all,

I'm searching for simple, complete documentation on “connecting SLES 11 as an LDAP SSL client to an LDAP server”.

Could you please help me find something suitable? We already have an LDAP server; I just want to connect my SLES so that users authenticate against LDAP.

I'm going mad trying to find anything suitable.

Thanks a lot!
*T


Have you found this yet?

https://www.suse.com/documentation/sles11/singlehtml/book_security/book_security.html#sec.ldap.yast.client

That, plus some other possibly-relevant articles, came up Googling for
the following:

sles 11 ldap client

Good luck.

Hi tbrinkmann,

what LDAP server? Does it already contain a user base and if yes, how’s that organized? (If the server is already used to authenticate SLES or other Linux users, then this should be fairly easy. But YMMV, especially if it is some random LDAP server with some obscure layout for existing user/group data…)

How much experience do you have with LDAP? Are you using SSL just because it can be done, or because you have security policies to implement? In the latter case, the LDAP access might be worth discussing, too.

There’s the plain & simple way to do things, there’s the secure way to do it, and there are many "in-between"s.

Regards,
Jens

Re,
thanks for your replies. The problem was a wrong SSL cert. I needed to convert the cert from DER to PEM.

After this the LDAP auth runs well.

So we use an OES eDirectory, and this is my first experience with LDAP. My problem at this point is that every user from the eDirectory can successfully authenticate on my test server. Can you give me a small hint on where to configure policies so that only users from a certain group can connect via LDAP?

Thanks a lot!
*T

Hi *T,

that’s an easy one: In /etc/ldap.conf on the client (the server you want to limit access to) you can set “pam_groupdn” to the DN of the group that contains the list of permitted users (as fully qualified DNs), i.e.

pam_groupdn cn=servername,ou=hostaccess,ou=group,dc=company,dc=com

The actual member of that node that contains the list of users is defined in the same file, i.e.

pam_member_attribute member

If OES stores the values at other locations, you need to adapt these statements.

Regards,
Jens

PS: I advise keeping an open root ssh session to the server while making these changes. If you limit ssh access to the server to non-root users and incorrectly set those ldap.conf parameters, there’s no way to get into the system other than via the console… which may or may not be available at that time :wink:
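As an added example (not code from the thread), the following Python emulates the check that the pam_groupdn setting described above causes pam_ldap to make: a user may log in only when the user's DN is listed in the group entry's member attribute. The /etc/ldap.conf fragment and the LDIF export of the group are constructed, and the member DNs are hypothetical.

```python
# Added example (not from the thread): emulates the pam_groupdn check that
# pam_ldap performs. Login is allowed only if the user's DN is a value of the
# configured member attribute on the group entry. Config and LDIF are constructed.

LDAP_CONF = """\
pam_groupdn cn=servername,ou=hostaccess,ou=group,dc=company,dc=com
pam_member_attribute member
"""

GROUP_LDIF = """\
dn: cn=servername,ou=hostaccess,ou=group,dc=company,dc=com
objectClass: groupOfNames
cn: servername
member: cn=alice,ou=people,dc=company,dc=com
member: CN=Bob,OU=People,DC=company,DC=com
"""

def parse_ldap_conf(text):
    """Map 'option value' lines of /etc/ldap.conf to a dict (comments skipped)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key.lower()] = value.strip()
    return opts

def parse_ldif_entry(text):
    """Return {attr: [values]} for one unfolded LDIF entry ('dn' included)."""
    attrs = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(attr.strip().lower(), []).append(value.strip())
    return attrs

def normalize_dn(dn):
    """DNs compare case-insensitively; also drop spaces around the commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def login_permitted(user_dn, conf_text=LDAP_CONF, ldif_text=GROUP_LDIF):
    opts = parse_ldap_conf(conf_text)
    group_dn = opts.get("pam_groupdn")
    if not group_dn:
        return True  # no restriction configured: every LDAP user gets in (*T's symptom)
    attr = opts.get("pam_member_attribute", "member").lower()  # default assumed here
    entry = parse_ldif_entry(ldif_text)
    if normalize_dn(entry.get("dn", [""])[0]) != normalize_dn(group_dn):
        return False  # the exported entry is not the configured group
    return normalize_dn(user_dn) in {normalize_dn(m) for m in entry.get(attr, [])}
```

Running `login_permitted` against an LDIF export of the real group before changing ldap.conf is a cheap way to confirm the group DN and member attribute are the ones you think they are, which is the mistake the PS above warns about.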

Re,
questions again :-/

Do I need to create the users locally?
Do I need to configure the modules for YaST?

It looks like if I configure pam_groupdn, the system ignores it.

Greetings *T

Hi *T,

we’re running LDAP-based users with per-system, LDAP-based “access” groups. No need to create the users locally and no need to do anything for YaST (though, as I’m doing many things via config files rather than YaST, my understanding of “to configure the modules for yast” may be different from yours).

Once we had set up the pam_groupdn statement, access to the system was limited to those users who are members of the group.

Come to think of it, have you set up PAM for LDAP support? You wrote “After this the LDAP auth runs well.” somewhere above, so I assume that the proper PAM modules are in place. Is your pam_ldap.so entry defined as “sufficient” or as “required”? IIRC the “password” stage is the important one, but I’m not sure - could be “session” as well.

Regards,
Jens

Hi Jens,
thanks for helping me to dig this out. We moved a little bit forward; now we face the problem that we cannot see any eDirectory groups.

We can browse the LDAP users in eDirectory, but the user details do not show any groups for the users. Also, if we browse the user groups in YaST, we see no groups.

In the EDirectory we have a lot of groups…

Do you have any idea why we cannot see the user groups?

*T

Hi *T,

there may of course be many causes to that :(.

Basically it boils down to matching the eDirectory content with what Linux client services expect to find inside the LDAP tree. Of course, the Linux system has to be set up to look at the LDAP information, too, but I take it that this has been already configured.

Searching for some details (I’m no eDirectory expert) I came across the following article describing the integration of Linux accounts into an eDirectory: http://wiki.njh.eu/Authentifizierung_%C3%BCber_eDirectory

This is an article in German - maybe some online translation tool can provide sufficient services to at least grasp the basic steps described there if German isn’t your native language. Chapter “2.1.1” seems to be what you’re looking for.

Regards,
Jens

Re,
thanks for your help! We opened a Novell support ticket.

Greetings from Bochum. *T